A security researcher has published today proof-of-concept code which an attacker can use to run malicious code on a remote computer via the Microsoft Edge browser.

More security news

The proof-of-concept (PoC) code is for a Microsoft Edge vulnerability —CVE-2018-8495— that Microsoft patched this week, part of its October 2018 Patch Tuesday. The vulnerability was discovered by Kuwaiti security researcher Abdulrahman Al-Qabandi, who reported his findings to Microsoft via Trend Micro’s Zero-Day Initiative program. Today, after making sure Microsoft had rolled out a fix, Al-Qabandi published in-depth details about the Edge vulnerability on his blog.

Besides the usual technical breakdown that accompanies all such vulnerability write-ups, the researcher’s also included proof-of-concept code so other researchers could reproduce the bug’s effect. Such PoCs are usually quite complex, but Al-Qabandi’s code is only HTML and JavaScript, meaning it could be be hosted on any website. According to the researcher, all the attacker needs to do is trick a user into accessing a malicious website hosting the PoC via an Edge browser, and then press the Enter key.

Once the user lets go of the Enter key, the PoC runs and executes a Visual Basic script via the Windows Script Host (WSH) default application.

In its current form, the PoC will only start the Windows Calculator app, but any skilled malware author can modify this code with ease to trigger more dangerous operations, such as silently downloading and installing malware. A video showing how easy is to trick a user into accidentally auto-hacking himself is embedded below.

Since the vulnerability requires social engineering, it is likely not that useful for automated malware campaigns, such as the ones executed via exploit kits and malvertising campaigns. Instead, the vulnerability may prove very useful for targeted attacks against selected, high-value targets.

Running Windows 10 with the October 2018 security patches will prevent attackers from using this vulnerability against Windows users.

Microsoft said it did not detect exploitation attempts for this vulnerability before it deployed a patch this Tuesday.